
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume 7 of the Microsoft(R) Security Intelligence Report: an in-depth perspective on malicious and unwanted software, software exploits, security breaches and software vulnerabilities, including data derived from more than 450 million computers worldwide and some of the busiest services on the Internet, such as Windows Live Hotmail and Bing. Watch the interview and download the full report. http://www.sans.org/info/54798

TOP OF THE NEWS

European Parliament Rejects Interim SWIFT Data-Sharing Agreement (February 11, 2010)

The European Parliament has voted down an interim agreement that would have allowed the US access to EU residents' banking transaction information held in the SWIFT system. The US has been analyzing European banking transactions since late 2001 as part of its efforts to fight terrorism, but that fact was not made public until 2006. European Ministers had passed the interim agreement to allow continued US monitoring of SWIFT late last year; the European Parliament's rejection of that agreement appears to be focused on privacy issues.
-http://www.theregister.co.uk/2010/02/11/europe_rejects_data_share/
-http://www.h-online.com/security/news/item/European-Parliament-blocks-US-access-to-SWIFT-data-928492.html
-http://news.bbc.co.uk/2/hi/europe/8510471.stm
[Editor's Note (Honan): This interim agreement was brought in as a result of the US accessing every banking transaction by EU citizens and companies via the SWIFT system since 2001, in direct contravention of the EU Data Protection Directive. The overwhelming vote in favour of rejecting the interim agreement, 378 to 196, demonstrates that there are still grave concerns regarding privacy. So the message should be clear: if the US wants to monitor the financial transactions of EU citizens, it must do so in accordance with EU law. ]

Massachusetts Consumer Data Protection Law Set to Take Effect Next Month (February 11, 2010)

A stringent Massachusetts consumer data protection law is slated to take effect on March 1, 2010. It will require organizations conducting business with Massachusetts residents to encrypt consumer data stored on portable media devices and all consumer data transmitted over public or wireless networks. Organizations will also be required to maintain records of exactly what consumer data they retain. The law was initially scheduled to take effect January 1, 2009, but the deadline has been extended twice.
-http://www.computerworld.com/s/article/9155978/Deadline_looms_for_Mass._data_protection_law?taxonomyId=17
[Editor's Note (Skoudis): We need to get to a world where data at rest is encrypted by default. Unencrypted data should be the exception, not the rule.

(Schultz): This Massachusetts law is in my mind one of the most significant security-related pieces of legislation to ever be passed. Hopefully this law will set a precedent for passage of similar legislation in other states. ]

Cyber Warfare Part of Israeli Defense Arsenal (February 9, 2010)

Speaking at the Institute for National Security Studies (INSS), Israeli chief of military intelligence Maj. Gen. Amos Yadlin noted that "using computer networks for espionage is as important to warfare today as the advent of air support was to warfare in the 20th century," giving small countries power that was once reserved for large ones. Yadlin said the Israeli military is developing an "internet warfare" team. There is evidence that Israeli forces used cyber warfare techniques to help jets launch a strike on a suspected Syrian nuclear facility under construction. Israeli cyber warfare appears to be focused on thwarting Iran's development of uranium enrichment plants and other nuclear-related efforts. Newspaper reports indicate that Israeli intelligence attempted to plant software in equipment that could damage Iranian nuclear program information systems. In these cases the targets are systems that are not Internet connected, so the malware is hidden on mobile devices, such as cell phones and laptops, that could later be connected to the isolated information systems.
-http://www.aviationweek.com/aw/generic/story_channel.jsp?channel=defense&id=news/dti/2010/02/01/DT_02_01_2010_p39-198440.xml&headline=Israel%20Adds%20Cyber-Attack%20to%20IDF
[Editor's Note (Pescatore): Cyber warfare has been part of every major country's military arsenal for over a decade now.

(Skoudis): This is the new normal. Countries are using integrated cyber operations for intelligence and offensive military operations. It's cost effective, supports achieving military objectives, and has relatively lower risk than other methods.

(Schultz): It is a cheaper, less risky form of spying. Consider the risks and costs of training spies and getting them placed in positions in which they are able to steal information versus social engineering, breaking into systems, and/or installing malware in systems while the perpetrator works from home. The risk-reward ratio of the latter is much more favorable. ]

*************************** Sponsored Links ***************************

1) Replace Cisco CS-MARS from the MARS creators. Upgrade to AccelOps at your current MARS maintenance fee and receive a full year of maintenance & support. http://www.sans.org/info/54803

Man Charged in Click Fraud Scheme (February 11, 2010)

Christopher Kennedy has been charged with developing and distributing click fraud software that allegedly cheated online auction site eBay out of thousands of dollars. The software, Saucekit, manipulates browser cookies to make it appear as if site visitors have been clicking on eBay advertisements; eBay pays sites that direct users to it through click-throughs, which it identifies from information in those cookies. Last March, eBay sent Kennedy a cease-and-desist order, which Kennedy ignored. eBay also filed a civil suit before involving police. Kennedy is facing one count of wire fraud; he could be sentenced to up to five years in prison and fined US $250,000.
-http://www.securecomputing.net.au/News/166931,developer-charged-with-cookie-scam-on-ebay.aspx
[Editor's Note (Pescatore): Bot-compromised PCs have been driving click fraud rates back up, after click fraud rates had declined a bit in early 2009. Going after identified bad guys is good but the online advertising industry has to invest in being more aggressive about the auditing it does to verify the legitimacy of ad viewing/click-through rate claims - just as the print and radio and TV advertising industries before them had to do. ]
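The editor's note above calls for more aggressive auditing of click-through claims. The script below is an added example, not code from the article, from eBay or from Saucekit, of what such an audit can look like on the affiliate side: it scores each affiliate on two signals that a genuine click-through leaves behind but a cookie that was set without a real click usually does not, namely the visitor browsing beyond the landing page afterwards, and the click's Referer coming from the affiliate's registered site. The affiliate names, log fields, thresholds and the two log samples are all constructed for the example.

```python
"""Audit affiliate click-through logs for cookie-stuffing patterns.

Added example: affiliate IDs, log layout, thresholds and data are constructed
and are not from the article or from any real tracking system.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed click log: one row per time the tracking endpoint set the
# attribution cookie. Fields: timestamp, affiliate, visitor cookie, Referer.
CLICK_LOG = [
    ("2010-02-10T10:00:00", "aff-good", "v1", "http://reviews.example/deals"),
    ("2010-02-10T10:05:00", "aff-good", "v2", "http://reviews.example/deals"),
    ("2010-02-10T10:07:00", "aff-good", "v3", "http://reviews.example/top10"),
    ("2010-02-10T11:00:00", "aff-stuff", "v4", "http://forum.example/thread/1"),
    ("2010-02-10T11:00:02", "aff-stuff", "v5", "http://forum.example/thread/1"),
    ("2010-02-10T11:00:03", "aff-stuff", "v6", "http://forum.example/thread/2"),
    ("2010-02-10T11:00:04", "aff-stuff", "v7", "http://forum.example/thread/2"),
]

# Constructed on-site page-view log keyed by the same visitor cookie.
PAGEVIEW_LOG = [
    ("2010-02-10T10:00:01", "v1", "/landing"),
    ("2010-02-10T10:00:40", "v1", "/item/123"),
    ("2010-02-10T10:05:01", "v2", "/landing"),
    ("2010-02-10T10:06:10", "v2", "/search?q=laptop"),
    ("2010-02-10T10:07:01", "v3", "/landing"),
    ("2010-02-10T11:00:01", "v4", "/landing"),
    ("2010-02-10T11:00:03", "v5", "/landing"),
    ("2010-02-10T11:00:04", "v6", "/landing"),
    ("2010-02-10T11:00:05", "v7", "/landing"),
]

# Hypothetical registry of the site each affiliate declared when signing up.
REGISTERED_SITES = {"aff-good": "reviews.example", "aff-stuff": "reviews2.example"}

LANDING_PATH = "/landing"


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def referer_host(url):
    return urlparse(url).hostname or ""


def engaged(visitor, click_ts, pageviews, window):
    """True if the visitor viewed something other than the landing page
    within `window` after the click; a stuffed cookie rarely leads anywhere."""
    for ts, vid, path in pageviews:
        if vid == visitor and click_ts < ts <= click_ts + window and path != LANDING_PATH:
            return True
    return False


def audit(clicks, pageviews, registered, window=timedelta(minutes=10),
          min_engagement=0.5, max_referer_mismatch=0.5):
    """Per-affiliate engagement and Referer-mismatch rates, plus a flag when
    either crosses its threshold. Thresholds are illustrative."""
    parsed_views = [(parse_ts(ts), vid, path) for ts, vid, path in pageviews]
    stats = defaultdict(lambda: {"clicks": 0, "engaged": 0, "mismatch": 0})
    for ts, affiliate, visitor, referer in clicks:
        s = stats[affiliate]
        s["clicks"] += 1
        if engaged(visitor, parse_ts(ts), parsed_views, window):
            s["engaged"] += 1
        if referer_host(referer) != registered.get(affiliate):
            s["mismatch"] += 1
    report = {}
    for affiliate, s in stats.items():
        engagement = s["engaged"] / s["clicks"]
        mismatch = s["mismatch"] / s["clicks"]
        report[affiliate] = {
            "clicks": s["clicks"],
            "engagement": engagement,
            "referer_mismatch": mismatch,
            "flag": engagement < min_engagement or mismatch > max_referer_mismatch,
        }
    return report


if __name__ == "__main__":
    for affiliate, row in sorted(audit(CLICK_LOG, PAGEVIEW_LOG, REGISTERED_SITES).items()):
        print(affiliate, row)
```

On the constructed data the first affiliate shows two of three visitors browsing on and every Referer on its own site, while the second shows no engagement at all and every click arriving from a site it never registered, so only the second is flagged. A production audit would add signals this sketch omits, such as click bursts from one source and clicks arriving inside iframes or image loads, and would treat a flag as a reason to withhold payment pending review rather than as proof of fraud.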

California Governor Signs Executive Order on State IT Governance and Security

California Governor Arnold Schwarzenegger has signed an executive order that will guide improvements to the state's information technology systems. The order "will standardize IT governance and information security, and increase transparency in IT spending." The order requires all state agencies to appoint CIOs and information security officers. The order also provides for consolidation of services to reduce data center space by 50 percent by July 2011 and reduce IT operations energy usage by 30 percent by July 2012.
-http://gov.ca.gov/press-release/14406/
-http://www.informationweek.com/news/government/state-local/showArticle.jhtml?articleID=222700759&subSection=News
[Editor's Note (Pescatore): Some good stuff in there on formalizing the CISO-like role at agencies and departments. But way too much about centralization and standardization as the answer to everything, and way too little about making sure avoiding vulnerabilities gets baked in across IT operations vs. just more monitoring to know when vulnerabilities get exploited. ]

Experts Skeptical That Chinese Hacker Site Shutdown Signals Change

Western security experts remain unconvinced that Chinese authorities' shutdown of a known hacker training website indicates a real change in attitudes toward malicious cyber activity. Although three people have been arrested and hundreds of thousands of dollars' worth of equipment and money have been seized, the servers allegedly used in the attacks against Google and other US companies remain online and their operators have not been arrested. Some believe that the arrests and seizure are just "window dressing," and that the climate amenable to the attacks has not changed.
-http://www.nytimes.com/2010/02/08/world/asia/09hacker.html?partner=rss&emc=rss

Operation Aurora Attacks Continuing (February 10, 2010)

The attacks that targeted Google, Adobe and other US companies are continuing. Dubbed Operation Aurora, the attacks have affected considerably more than the 30 companies that were originally reported. Experts say they are getting closer to identifying the author or authors of the malware used in the attacks. While there is no direct forensic evidence linking the Chinese government to the attacks, there are hints in the code that link it to the Chinese language.
-http://www.darkreading.com/vulnerability_management/security/attacks/showArticle.jhtml?articleID=222700786

**********************************************************************

The Editorial Board of SANS NewsBites

Eugene Schultz, Ph.D., CISM, CISSP is CTO of Emagined Security and the author/co-author of books on Unix security, Internet security, Windows NT/2000 security, incident response, and intrusion detection and prevention. He was also the co-founder and original project manager of the Department of Energy's Computer Incident Advisory Capability (CIAC).

John Pescatore is Vice President at Gartner Inc.; he has worked in computer and network security since 1978.

Stephen Northcutt founded the GIAC certification and currently serves as President of the SANS Technology Institute, a post graduate level IT Security College, www.sans.edu.

Prof. Howard A. Schmidt is the Cyber Coordinator for the President of the United States.

Dr. Johannes Ullrich is Chief Technology Officer of the Internet Storm Center and Dean of the Faculty of the graduate school at the SANS Technology Institute.

Ed Skoudis is co-founder of Inguardians, a security research and consulting firm, and author and lead instructor of the SANS Hacker Exploits and Incident Handling course.

Rohit Dhamankar is the Director of Security Research at TippingPoint, where he leads the Digital Vaccine and ThreatLinQ groups. His group develops protection filters to address vulnerabilities, viruses, worms, Trojans, P2P, spyware, and other applications for use in TippingPoint's Intrusion Prevention Systems.

Tom Liston is a Senior Security Consultant and Malware Analyst for Inguardians, a handler for the SANS Institute's Internet Storm Center, and co-author of the book Counter Hack Reloaded.

Dr. Eric Cole is an instructor, author and fellow with The SANS Institute. He has written five books, including Insider Threat and he is a senior Lockheed Martin Fellow.

Ron Dick directed the National Infrastructure Protection Center (NIPC) at the FBI and is the incoming President of the InfraGard National Members Alliance - with 22,000 members.

Mason Brown is one of a very small number of people in the information security field who have held a top management position in a Fortune 50 company (Alcoa). He is leading SANS' global initiative to improve application security.

David Hoelzer is the director of research & principal examiner for Enclave Forensics and a senior fellow with the SANS Technology Institute.

Mark Weatherford, CISSP, CISM, is Chief Information Security Officer of the State of California.

Alan Paller is director of research at the SANS Institute.

Marcus J. Ranum built the first firewall for the White House and is widely recognized as a security products designer and industry innovator.

Clint Kreitner is the founding President and CEO of The Center for Internet Security.

Brian Honan is an independent security consultant based in Dublin, Ireland.

David Turley is SANS infrastructure manager and serves as production manager and final editor on SANS NewsBites.

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription, (and for free posters) or to update a current subscription, visit http://portal.sans.org/